Splunk Search

recalculate format of mac address dependent on input

Ida_2017
Explorer

Dear community

I am struggling with how to allow different formats in a search input while still finding the corresponding events.

In my events I have mac addresses of this format 84-57-33-0D-B4-A8

I have built a dynamic dashboard where the mac addresses are found if the user types in exactly this format.

However the user might search for a mac address like this 

8457330DB4A8 

or

84:57:33:0D:B4:A8

so in order to find results successfully, I have to recalculate the two inputs so that they are changed to the expected format.

So a test query like this recalculates the first format

| makeresults
| eval m = "aab2c34be26e"
| eval MAC2 = substr(m,1,2)."-".substr(m,3,2)."-".substr(m,5,2)."-".substr(m,7,2)."-".substr(m,9,2)."-".substr(m,11,2)
| fields MAC2

 

a test query like this recalculates the second format:

| makeresults
| eval m = "aa:c3:4b:e2:6e"
| eval MAC2 = replace(m,":","-")
| fields MAC2

 

But I am failing to combine it to a joint query dependent on the input

If my $mac$ address can be in any of the three formats, then I have to choose the recalculation dependent on the input.

 

My idea would be to write a condition with a regex match of $mac$ with

 

([0-9A-Fa-f]{2}[-]){5}  then no recalculation

([0-9A-Fa-f]{2}[:]){5}  then replace like shown above

([0-9A-Fa-f]{2}){5}  then substitute like shown above

 

I tried several ways of CASE and IF, but never got it to work... any help highly appreciated!

Thanks

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

MYsearchstring
| eval mac="$mac$"
| rex field=mac max_match=0 "(?<m>[0-9A-Fa-f\*]{1,2})" 
| eval formatted_mac=replace(if(len(mac)>2, mvjoin(m,"-"), mac),"\*",".*") 
| where match(EndPointMACAddress,formatted_mac)
| table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action

0 Karma

Ida_2017
Explorer

thanks! Worked excellently. Still trying to understand the if statement, but I will get there 🙂

0 Karma

ITWhisperer
SplunkTrust

Pick out pairs of characters, then recombine them

| makeresults
| eval mac1="84-57-33-0D-B4-A8"
| eval mac2="8457330DB4A8"
| eval mac3="84:57:33:0D:B4:A8"
| rex field=mac1 max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac,"-")
| rex field=mac2 max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr2=mvjoin(mac,"-")
| rex field=mac3 max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr3=mvjoin(mac,"-")
0 Karma

Ida_2017
Explorer

Hello

 

thanks, that really helped me a lot. I have one last problem though: if the user in my dynamic dashboard does not type in a mac address but uses * in order to see all addresses, the search does not work correctly any longer.

This is my search with the variable

MYsearchstring
| eval mac="$mac$"
| rex field=mac max_match=0 "(?<mac>[0-9A-Fa-f]{2})" | eval addr1=mvjoin(mac,"-") | where EndPointMACAddress=addr1 | table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action

this is the example where the user would use the format C4:E9:0A:B7:F5:76 for the variable

MYsearchstring
| eval mac="C4:E9:0A:B7:F5:76" | rex field=mac max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac,"-")
| where EndPointMACAddress=addr1 | table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action

that works fine.

 

But if the variable is * it does not work. I would like to be able to display all found mac addresses in the table...


MYsearchstring
| eval mac="*" | rex field=mac max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac,"-")
| where EndPointMACAddress=addr1 | table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action

0 Karma

ITWhisperer
SplunkTrust

| rex field=mac1 max_match=0 "(?<mac1>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac1,"-")
| eval addr1=replace(addr1,"\*",".*")
| where match(EndPointMACAddress,addr1)
0 Karma
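Added example, not from the thread and not Splunk code: a Python re-implementation of the normalization chain in somesoni2's accepted answer (rex with max_match=0, the `if(len(mac)>2, mvjoin(m,"-"), mac)` step, the `\*` to `.*` replace, then `match()`) and of ITWhisperer's wildcard handling above, so the if statement can be traced on sample input outside Splunk. The sample events and device names are constructed, and the anchoring and case-insensitive matching in `matches()` are assumptions added here for a stricter dashboard; Splunk's own `match()` is unanchored and case-sensitive, so the equivalent SPL would wrap the pattern as `"^...$"` and prefix `(?i)`.

```python
import re
from typing import Dict, List

# Mirrors the rex in the accepted answer: "(?<m>[0-9A-Fa-f\*]{1,2})" with
# max_match=0, i.e. every run of one or two hex digits (or a literal *)
# becomes one multivalue entry.
TOKEN_RE = re.compile(r"[0-9A-Fa-f*]{1,2}")

# Constructed sample events: field names follow the thread's table command,
# the values are made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"NetworkDeviceName": "sw-01", "EndPointMACAddress": "84-57-33-0D-B4-A8"},
    {"NetworkDeviceName": "sw-02", "EndPointMACAddress": "C4-E9-0A-B7-F5-76"},
    {"NetworkDeviceName": "sw-03", "EndPointMACAddress": "84-57-33-0D-B4-A9"},
]


def tokenize(mac: str) -> List[str]:
    """rex field=mac max_match=0 "(?<m>[0-9A-Fa-f\\*]{1,2})" -> multivalue m."""
    return TOKEN_RE.findall(mac)


def normalize(mac: str) -> str:
    """eval formatted_mac=replace(if(len(mac)>2, mvjoin(m,"-"), mac), "\\*", ".*")

    Any of 84-57-33-0D-B4-A8, 8457330DB4A8 or 84:57:33:0D:B4:A8 becomes the
    hyphenated form used in the events. A lone "*" (len <= 2) is left alone by
    the if(), and every "*" then becomes the regex ".*" so match() can use it.
    Because the rex only keeps hex digits and "*", no other regex
    metacharacter from the user input survives into the pattern.
    """
    joined = "-".join(tokenize(mac)) if len(mac) > 2 else mac
    return joined.replace("*", ".*")


def matches(event_mac: str, pattern: str, anchored: bool = True) -> bool:
    """where match(EndPointMACAddress, formatted_mac).

    Assumptions added here (not in the SPL of the thread): anchoring, so that
    "33-0D" cannot match in the middle of an address, and case-insensitive
    matching, so lowercase input finds the uppercase values in the events.
    """
    regex = f"^{pattern}$" if anchored else pattern
    return re.search(regex, event_mac, re.IGNORECASE) is not None


def search(user_input: str, events: List[Dict[str, str]] = SAMPLE_EVENTS,
           anchored: bool = True) -> List[str]:
    """The whole pipeline for one $mac$ token: returns the matching device names."""
    pattern = normalize(user_input)
    return [e["NetworkDeviceName"] for e in events
            if matches(e["EndPointMACAddress"], pattern, anchored)]


if __name__ == "__main__":
    for token in ("84-57-33-0D-B4-A8", "8457330DB4A8", "84:57:33:0d:b4:a8",
                  "*", "84-57-*", "33-0D"):
        print(f"{token!r:22} -> {normalize(token)!r:22} "
              f"anchored={search(token)} unanchored={search(token, anchored=False)}")
```

Running it shows the point behind the `if(len(mac)>2, ...)`: the three full formats all normalize to the hyphenated value in the events, a bare `*` is passed through untouched and only then turned into `.*`, and a partial input such as `84-57-*` becomes a prefix pattern. The `33-0D` case shows why the unanchored `match()` in the thread matches inside an address, and the rex-before-match order is what keeps user input from contributing anything but hex digits and the intended wildcard to the regex.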